12-20-2006 8:00 AM
Could anyone advise me on how to maintain user accounts on an auditing basis?
From SUIM I have extracted the users, the Roles & Profiles that were used, and the Transactions assigned to them.
But from an auditing point of view/SOX Compliance, I wish to know about this.
Any idea?
ann
12-20-2006 3:05 PM
Hi,
In respect of users:
Auditors would choose user IDs randomly and ask for some of the following
1. Who created the user ID, and the process of approval
2. List of active users (you can have a customized report)
3. Change documentation (modifying or adding additional roles)
4. Validity of user (for Temp users)
5. Process for deleting user IDs
For more information on
SAP Solutions for Governance, Risk, and Compliance: Access and Authorization Controls
http://www.sap.com/solutions/grc/accessandauthorization/index.epx
Cheers
Soma
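The five items in Soma's list can be turned into a repeatable report rather than an ad-hoc answer to the auditor. The following is an added example, not code from the thread or from SAP: it runs the checks over a constructed, SUIM-style user extract (the record fields, user IDs and change references below are assumptions; the real SUIM report and table columns must be mapped onto them first). It also adds one check of my own, flagging a role assignment recorded as done by the user it was granted to.

```python
"""Audit checks over a constructed SUIM-style user extract.

Added example, not from the thread. The record layouts are assumptions
(a flat export of user master data, role changes and deletions); real
SUIM output differs, so map the real columns onto these first.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class UserRecord:
    user_id: str
    created_by: str
    approval_ref: Optional[str]   # ticket/form approving creation; None = none on file
    valid_to: Optional[date]      # None = unlimited validity
    locked: bool
    temporary: bool               # temp user (consultant, intern, ...)
    roles: List[str]


@dataclass
class RoleChange:
    user_id: str
    role: str
    action: str                   # "ADD" or "REMOVE"
    changed_by: str
    change_doc: Optional[str]     # reference to the change request; None = undocumented


@dataclass
class Deletion:
    user_id: str
    deleted_by: str
    approval_ref: Optional[str]


def active_users(users: List[UserRecord], today: date) -> List[str]:
    """Item 2: the active-user list the auditor samples from."""
    return sorted(u.user_id for u in users
                  if not u.locked and (u.valid_to is None or u.valid_to >= today))


def audit(users, changes, deletions, today) -> List[Tuple[str, str]]:
    """Return sorted (user_id, finding) pairs for items 1, 3, 4 and 5."""
    findings = []
    for u in users:
        if u.approval_ref is None:                             # item 1
            findings.append((u.user_id, "CREATION_NOT_APPROVED"))
        if u.temporary and u.valid_to is None:                 # item 4
            findings.append((u.user_id, "TEMP_USER_NO_EXPIRY"))
        if u.valid_to is not None and u.valid_to < today and not u.locked:
            findings.append((u.user_id, "EXPIRED_BUT_UNLOCKED"))
    for c in changes:                                          # item 3
        if c.change_doc is None:
            findings.append((c.user_id, f"UNDOCUMENTED_{c.action}:{c.role}"))
        if c.changed_by == c.user_id:                          # extra check, not in the post
            findings.append((c.user_id, f"SELF_ASSIGNED:{c.role}"))
    for d in deletions:                                        # item 5
        if d.approval_ref is None:
            findings.append((d.user_id, "DELETION_NOT_APPROVED"))
    return sorted(findings)


# Constructed sample data (not real users, roles or tickets).
TODAY = date(2006, 12, 20)
USERS = [
    UserRecord("ANN",    "BASIS01", "CR-1001", None,               False, False, ["Z_ENGG_MM_X100"]),
    UserRecord("TEMP01", "BASIS01", "CR-1002", date(2006, 11, 30), False, True,  ["Z_ENGG_MM_Y100"]),
    UserRecord("TEMP02", "BASIS02", None,      None,               False, True,  ["Z_ENGG_MM_Y100"]),
    UserRecord("OLDUSR", "BASIS01", "CR-0900", date(2005, 1, 31),  True,  False, []),
]
CHANGES = [
    RoleChange("ANN",    "Z_ENGG_MM_X100", "ADD", "BASIS01", "CR-1001"),
    RoleChange("TEMP02", "Z_ENGG_MM_Y100", "ADD", "TEMP02",  None),
]
DELETIONS = [Deletion("OLDUSR", "BASIS01", None)]


def run() -> List[Tuple[str, str]]:
    return audit(USERS, CHANGES, DELETIONS, TODAY)


if __name__ == "__main__":
    print("active:", active_users(USERS, TODAY))
    for user_id, finding in run():
        print(f"{user_id:8} {finding}")
```

On the constructed data this reports the expired-but-unlocked temp user, the temp user with no expiry and no creation approval whose role was added without a change record, and the deletion that has no approval on file; the locked, long-expired user produces nothing because the lock is the control working as intended.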
12-21-2006 1:20 AM
Halo Soma,
Thanks for your time !
Sure, I shall look into the docs.
I am aware that it is not good practice to create a profile for every individual Role.
Can you give me an overview, how to overcome this situation?
Rgds,
Ann
12-21-2006 2:53 AM
Soma, just to add further to my clarification.
We have 2 Plants, X100 & Y100. So for an Engineer, if we need to give him access to MM02 (for example), my client has set up 2 different Roles & 2 Profiles for those Roles.
The reason why they separate them is because some group of users may not need to have access to MM02 under plant Y100.
Because of the above reason, I can find a lot of roles & profiles.
There are 17 depts in total. I wish to know how I can align & reduce the roles & profiles.
Can I say that I can create 1 Role & 1 Profile for each dept & add the transaction codes to this role?
But if I do it this way, say in the same dept another person need NOT have access to all the transaction codes under this Role, how do I separate him or her?
Please suggest the best method.
Thanks,
Ann
12-21-2006 5:04 AM
You would typically set up an imparting role containing all of the transactions, and then derived roles from that imparting role that contain the organisational level splits.
This ensures consistency across the organisation and reduces maintenance.
12-21-2006 5:27 AM
Justin, thanks for your reply.
Could you explain in detail how to create an imparting role & derived roles?
I am not a Basis consultant so I have no idea about it ...
My client is eager to know ....
Regards,
Ann
12-21-2006 6:27 AM
I would like to know on the below too..
Is profile creation a must in authorization? I know that we assign the t-codes to a role.
But should a role always be tied to a profile?
My second question is:
we have 2 plants - X100 & Y100.
I have a dept, say the Engg. dept, where I have a mgr & 4 engineers.
2 of them are in charge of X100 & the other 2 of Y100.
Say I have created 3 Roles & 3 Profiles:
1 for the Mgr with wider access & the other 2 roles for the 4 engineers for the 2 different plants.
But if it happens that the 2nd engineer should not have access to everything engineer 1 has in plant X100, how do I do it in that case?
Is there any option to uncheck the profiles that are not needed for the 2nd engineer but are needed for the first one?
Sorry that I had to write a lot ..
cheers,
Ann
12-21-2006 4:17 PM
Hi Ann,
Can you let me know what version of R/3 it is?
I will explain the concept of Generic and Derived roles.
A Generic role (some call it a Parent role) will have all the T-Codes and organization levels (Plant, Shipping point, Purchasing Organization, Purchasing Group, etc.)
When you create a derived role (child role) you will have all the T-Codes and authorization values the same as the parent, EXCEPT the Organization levels.
To make it clearer I will explain with an example:
You have 2 plants, X100 and Y100, and 2 Administrators (you want to assign the same authorization to both administrators but restrict them by plant, i.e. the 1st to X100 and the 2nd to Y100).
Then you can use the concept of Generic and Derived roles.
In the Generic (Parent) role (ex: Parent_role) you can have both values (2 plants).
In the derived role (ex: Derived_role1) (child role) you can restrict to plant X100 (Org Levels).
In the 2nd derived role (ex: Derived_role2) (child role) you can restrict to plant Y100 (Org Levels).
By creating 2 derived roles and assigning them to the two users (Administrators 1 and 2),
both now have the same authorization, restricted by Plant.
I hope you are clear.
Now I will explain how to create Derived role with restrictions.
When you create a new role you will have an option in the Description tab:
Transaction inheritance (right side of the tab)
Derive from Role (enter the Generic (parent) role name here)
By this the role will be the Derived role of the Generic (parent) role.
In the Authorizations tab, when you are in edit mode/view mode (Display authorization data),
when you want to view/change, click (Ctrl+F8) or the Organizational levels button on the menu.
You will be shown the list of Org values (you can maintain the values here).
I hope you are clear, if you need more info let me know
Cheers
Soma
12-22-2006 1:22 AM
The only thing I can really add to the above post is that security and controls are really a specialist skill. Security is one of the major internal controls that mitigate business-critical risks. It's not something that should be attempted without strong knowledge and experience, as you will expose your client to all sorts of critical risks.
Do you have access to a security specialist/architect who can come in and provide some advice on your security strategy?
If you really insist on attempting to develop a security strategy/approach yourself, then I recommend that you familiarise yourself with this section:
SAP Identity and Access Management: http://help.sap.com/saphelp_erp2005vp/helpdata/en/49/15b93a38f43355e10000000a11402f/frameset.htm
It answers your questions and provides further information that you will need to make decisions on how to split your organisational authorisations.
12-22-2006 1:59 PM
Ann,
You need to have a good knowledge of SAP security.
Please check the link below, where you can find all of the SAP security guides:
https://websmp104.sap-ag.de/securityguide
Of course, you need an OSS id to get these guides.
If you are using roles for authorization management, forget about profiles. PFCG will take care of how many profiles it needs and which authorization goes into which profile. Instead, learn about Single/Composite and Parent/Derived roles.
For your situation, use derived roles. Define the organisational elements in the parent role and, while creating the child roles, you only need to define the specific org. elements for each child role once. After that, whatever change you make to the parent role will be copied to the child roles (except org. elements; they never change.)
Check the link below if you do not have OSS access (and also if you do - it's very useful):
http://help.sap.com/saphelp_46c/helpdata/en/52/671d66439b11d1896f0000e8322d00/frameset.htm
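Both Soma's and Amol's posts describe the same inheritance rule: a derived role takes every transaction and authorization value from its parent except the organizational levels, which are set once per derived role and are not overwritten when the parent changes. Below is an added, stand-alone model of that rule for Ann's Engg. dept / two-plant case. It is illustrative code, not PFCG and not from the thread; the role names are invented, the field names ACTVT and WERKS are SAP's usual ones for activity and plant, and the set of fields treated as organizational levels is a deliberately short assumption.

```python
"""Model of SAP parent (generic/imparting) and derived roles.

Added example, not PFCG's own code. Simulates the rule from the thread:
a derived role inherits transactions and authorization values from its
parent EXCEPT organizational levels, which are per derived role and
survive a later re-sync from the parent.
"""
from copy import deepcopy
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Assumption: a short subset of the fields SAP treats as organizational levels.
ORG_LEVEL_FIELDS = {"WERKS", "EKORG", "VKORG"}


@dataclass
class Role:
    name: str
    tcodes: Set[str] = field(default_factory=set)
    # authorization field -> permitted values, e.g. {"ACTVT": {"02", "03"}}
    auths: Dict[str, Set[str]] = field(default_factory=dict)
    parent: Optional["Role"] = None


def sync_from_parent(child: Role) -> None:
    """Re-copy transactions and non-org authorizations from the parent.

    This is what a regeneration after a parent change does: everything is
    refreshed except the org-level values already set on the derived role.
    """
    kept_org = {f: set(v) for f, v in child.auths.items() if f in ORG_LEVEL_FIELDS}
    child.tcodes = set(child.parent.tcodes)
    child.auths = {f: set(v) for f, v in child.parent.auths.items()
                   if f not in ORG_LEVEL_FIELDS}
    child.auths.update(kept_org)


def derive(parent: Role, name: str, org_values: Dict[str, Set[str]]) -> Role:
    """Create a derived role with its own organizational levels.

    Refuses org values the parent does not hold: a child that could reach a
    plant its parent cannot would defeat the consistency the pattern buys.
    """
    for fld, values in org_values.items():
        if fld not in ORG_LEVEL_FIELDS:
            raise ValueError(f"{fld} is not an organizational level")
        extra = values - parent.auths.get(fld, set())
        if extra:
            raise ValueError(f"{name}: {fld} values {sorted(extra)} not in parent")
    child = Role(name=name, parent=parent)
    sync_from_parent(child)
    child.auths.update(deepcopy(org_values))
    return child


def plants(role: Role) -> Set[str]:
    return set(role.auths.get("WERKS", set()))


def build_engineering_roles() -> Tuple[Role, Role, Role]:
    """Ann's case: one parent for the Engg. dept, one derived role per plant."""
    parent = Role("Z_ENGG_MM",
                  tcodes={"MM02", "MM03"},
                  auths={"ACTVT": {"02", "03"}, "WERKS": {"X100", "Y100"}})
    x100 = derive(parent, "Z_ENGG_MM_X100", {"WERKS": {"X100"}})
    y100 = derive(parent, "Z_ENGG_MM_Y100", {"WERKS": {"Y100"}})

    # A later change to the parent (MM01 added) is pushed to both children;
    # their plant restriction is untouched by the re-sync.
    parent.tcodes.add("MM01")
    for child in (x100, y100):
        sync_from_parent(child)
    return parent, x100, y100


if __name__ == "__main__":
    for r in build_engineering_roles():
        print(f"{r.name:16} tcodes={sorted(r.tcodes)} plants={sorted(plants(r))}")
```

Running it shows both derived roles picking up MM01 from the parent while X100 and Y100 stay split, and `derive` rejecting a plant the parent does not grant. It also makes Ann's second question concrete: the derived role's transaction set is the parent's, so an engineer who must not have all of those transactions needs a narrower role (a separate parent with its own derived roles, or a single role), not a profile unchecked on the existing one.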
12-27-2006 1:01 AM
Thanks Amol, Justin, Soma for all your advice.
Yes, I do have OSS id. I will explore more on it !
Rgds,
Ann